There is a reason the first mass media movie on cyber warfare has the computer WOPR playing games than war. To the technical well-informed individuals who make up the information technology discipline war is a game. WOPR though existed in a cold war period where nuclear Armageddon was always a choice. It represented an advance in command and control of large-scale arsenals and was able to respond to adversarial threats faster than the human operators.
Unfortunately, war isn’t a game but it is ritualized combat.
In the movie War Games the computer system WOPR is housed in a military base, within military networks, running military systems and some errant teenager was able to dial in remotely and access this monstrosity. Fire the information technology staff immediately and bring the chief security officer up on charges of gross negligence. Well that is how we do things now.
In the movie we are treated to the kid playing games with Joshua and teaching the computer the error of war in a mutually assured destruction world. The computer slowly comes to the only obvious conclusion that the only way to win the game is to not play. Cue orchestra, flashy graphics, obvious political over tones of liberal Hollywood leak through in the last seconds. Oblivion for the world avoided, the boy gets the girl in an objectification of women who “merely watch tech and can’t do it” frenzy, and all is forgiven. Do not forget to fire the programmers too.
The movie does serve to give us an idea about hybrid warfare and the role of command and control in systems used to break things and kill people (BTKP). The systems and tools of BTKP are centralized around communication and coordination technologies. The screens in the movie are there to replicate the high tech (of the time) theater command systems. Where are the adversarial units, where are my units, how can I bring death and destruction to the adversary. The political science types euphemistically refer to strategic consequence and operational art. The principle is BTKP let politicians sort it out.
Command of units in the field happens across a wide variety of systems. The military refers to this as the Global Information Grid (GIG) but really it is a series of multi-use communication pathways. A large amount of the strategic and operational traffic happens using relatively benign TCP/IP and Ethernet type networks. Voice, video, and data of all kinds are on these links. As you approach the tactical unit level, even today, the technical sophistication drops rapidly to radios and single use displays. That is not to denigrate the modern soldier or marine at that level. They are far superior technically, than when I served. The issue is bandwidth at the tactical level and possibility of detection.
In the movie WOPR was about taking the angst ridden human out of the nuclear command and control system. Weapons free failure to launch is how the movie starts. The whimsical human emotion of reflecting on the legitimacy of the launch authorization gets the airman “fired” and WOPR hired. Current technologies are moving the human further and further from authorization points and weapons release. As you move up the command and control stack (the military is nothing if analogized best by a stack of pancakes) you find control points intersecting with automation. These control points are often what we refer to as “human in the loop”.
At the strategic level, decision support systems can depict scenarios and current reality of what is happening and what might happen. Stochastic methods allow commanders to run scenarios and based on probabilities generate orders to assets in the field auto-magically. On automated weapons systems, the human gives release (go ahead and BTKP) to a system that then determines the various variables and activates. Anti-missile systems are good examples of this. The human has no hope of aiming, and pulling the trigger on an inbound missile. All the human does is reflect on “do I want to die” and then if negative “I do not want to die” they push a button and the weapons system does the rest.
Current advances in communication and coordination technology (drones, ultra wide band, artificial intelligence) have resulted in the strategic leadership level ability to direct and operate at the tactical level. Examples of this are denigrated by senior leadership and concepts like “Mission Command” are meant to refute the idea of leadership micro-management. The reality is that senior government leadership can watch a tactical unit in the field, commanders can direct two and three tiers below them without chain of command. The joke that the purported United States Drone program is actually a presidential version of X-Box has shallow truth if the fire order is coming from the Whitehouse.
The capability and risks of this form of war inherently rely on the concept of cyber space. Command and control is the “stuff” of cyber space. The concept of communication and coordination is the “activity” of cyberspace. The focus of media and politicians is on the idea that cyberspace is merely computers and networks. These are the tools we use to exploit cyberspace not the domain itself. The medium is the stuff and activities. Cyberspace is not a man made domain it is man exploiting the domain. The water of the sea is not the maritime domain, but the man exploiting the seat with various tools that make up the domain.
Command and control warfare is about attacking the integrity of the decisions by leadership, the integrity of the communications between leadership and tactical assets, the integrity of operational plans, and finally the effectiveness of military assets in the field. Disruption and degradation of military units capacity to BTKP will not likely look like a kinetic attack. The egregious leap in logic by current theoreticians that cyber war will look anything like kinetic war is absurd. Though all war shares precepts of conflict, none of the other domains reflects any other domains conflict at more than a superficial layer. We can force concepts together such as naval gunnery and artillery of the Army. That is mistaking the weapons systems for the operational art of employing the destructive potential. The techniques are not shared, the weapons are operated differently, the target sets are different, and the weapons systems capabilities are vastly different. Comparisons between an M4 rifle system and artillery could be made with similar results.
Reflecting on the concept of command and control warfare and the realities of interdiction of attacks against the integrity of systems is important. The current attack strategy and focus on skills is about computer network warfare. The focus is on the vulnerability exploit path and the associated creation of an access to exploit or exfiltration of information. Interesting that we’ve not got much past a teenager attempting to hack WOPR through an out of band management telephone line.
If we advance the art to the principle of command and control warfare, we start focusing on the integrity and validity of inputs from sensors. On the attack side creating a denial of service is the lowest level, and creating an autonomous integrity challenged stream of information the highest level of effort. Since decisions are based on what the sensors (whether humans, or equipment) it is then possible to force a commander to make poor decisions that based on actual data might be the right decisions. Deception and degradation due to the arrival of late or poor information is well known as the fog of war. In cyberspace we can replicate that principle and exact a heavy cognitive price from commanders.
Whereas, the use of WOPR was to remove humans from the loop and let the computer do what is necessary. In cyber warfare, we can use the computer to create the issues where humans might want to do something but now cannot. Unlike the start of the movie War Games where an airman would not turn his key we can now create a situation where the computer says no. Perhaps an example situation is the silo bunnies do not get the order to turn the key in the first place. Maybe worse, but far more likely, nobody knows the adversary has launched. The tools and techniques of waging modern warfare that gives significant increase in capability then become a significant detriment to waging war.
The focus on computer network attack, exploit, and defense is done absent this considerations. The focus on information technology rather than the associated business rules of waging war has resulted in significant degradation in the resiliency of information assets. Merely thinking about information security or computer hygiene will not solve this problem. Modeling the systems at a strategic, operational, and tactical level is likely required. The concepts are nothing new, but have been forgotten in move towards automation without reflection on the command and control aspect. This creates then a strategic blindness in leadership and operators of the technology. Thus a formally secure environment becomes an attack surface upon which kinetic war might succeed.